In today’s world, pretty much any company, even small to medium-sized companies, needs a cybersecurity policies and an overall cybersecurity plan. In other words, a plan for how to protect the business from a malicious cyber attack and, just as importantly, how to respond if such an attack is successful. But for many businesses it’s hard to know where to start. A recent article on BizTech suggests a “Risk-Based Approach to Cybersecurity” for small retailers. This approach, however, is a good starting point for any small-to-medium-sized business, not just for retailers.
Since the end of 2011, the percentage of cyber attacks targeted at small businesses has risen from 18% to 36%. And of those small businesses that were attacked successfully, 60% of them closed within six months of the attack (staysafeonline). So while making a cybersecurity plan may not seem like a top priority, in general small businesses can’t handle the legal, financial, or reputational risks that come with a data breach. And for some, the legal ramifications would put them under before there was even a thought given to their reputation.
So what exactly is a risk-based approach?
A risk-based approach focuses on understanding a company’s genuinely critical data assets and systems, and then the risks, be they financial, reputational, or regulatory, should those assets be compromised. It keeps the focus of finite resources on those assets most worth protecting and acknowledges that most businesses do not have the near-infinite information security budgets that may exist in governments and large enterprises.
The first step in developing a risk-based plan is to actually understand your risks. First and foremost, what data, if lost or compromised, could mean the end of your company? This is done through a risk assessment, which is exactly what is sounds like: assessing the risks, or important data/information within your company that could be the target of an attack.
After you understand your risks, you will need to go through what is called a “security audit”. While there are many different definitions of a security audit, it’s essentially performing security scans to detect vulnerabilities, talking to users to understand current security practices (or lack thereof) and analyzing their hardware and systems. These steps should generally serve to uncover areas of vulnerability in your company and can even uncover malicious activity already in progress. Security audits can cost from several thousands of dollars to tens of thousands with a median of around $10,000.
Once you know the risks, and your vulnerabilities, coming up with a plan becomes the next challenge. There are a lot of resources online to help you develop these plans and outline the necessary policies and procedures for your company. But how do you put this into action?
Good cybersecurity plans consist of these major areas:
At this point, you should be mostly done with number one, but two through five can be tricky, expensive, and potentially disastrous if not done well. We’ve talked about it before, but it can’t be reinforced enough that effective cybersecurity is more than just installing antivirus software and hoping for the best. A real cybersecurity strategy includes layers of defense—antivirus and anti-malware software, network-level security, data protection, and potentially much more—all designed to work together and, more importantly, designed and sized with your risk profile and budget in mind.
And even the best plans are quickly useless if all of those tools aren’t managed and monitored by someone who knows what they’re doing or if the plans are never re-evaluated and updated as your business evolves.
While there are resources available like the FCC’s Cyberplanner to help create a cybersecurity plan, Few small- or medium-sized businesses are equipped to analyze their current systems, develop effective plans and policies, implement them, and then maintain them for the long-term.
All in all the cost of taking a risk-based approach and creating a policy can cost in the thousands, and that’s without implementation help or ongoing monitoring and updates. And without that constant monitoring, all of the best laid plans may not protect your assets from an attack. Our recommendation is to find a trusted partner that can help you assess your business risks and develop a plan to protect your most precious assets—even if you decide that you’re comfortable operating “without a net”, you’re still better off going through a simple risk assessment with an IT expert to help understand the risks you’re taking.